Kerberos 5 Release 1.9.5

The MIT Kerberos Team announces the availability of the
krb5-1.9.5 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.

You may also see the current full
list
of fixed bugs tracked in our RT bugtracking system.

DES transition

The Data Encryption Standard (DES) is widely recognized as
weak. The krb5-1.7 release contains measures to encourage sites
to migrate away from using single-DES cryptosystems. Among
these is a configuration variable that enables "weak" enctypes,
which now defaults to "false" beginning with krb5-1.8.

Major changes in krb5-1.9.5 (2013-04-25)

This is a bugfix release. The krb5-1.9 release series has
reached the end of its maintenance period, and krb5-1.9.5 is the
last planned release in the series. For new deployments,
installers should prefer the krb5-1.11 release series or later.

Fix KDC null pointer dereference in TGS-REQ handling
[CVE-2013-1416]

Fix PKINIT null pointer dereference vulnerability
[CVE-2013-1415]

Fix KDC heap corruption vulnerability [CVE-2012-1015]

Prevent the KDC from returning a host-based service
principal referral to the local realm.

Incremental propagation could erroneously act as if a
slave's database were current after the slave received a full
dump that failed to load.

Add KDC support for SecurID preauthentication -- this is
the old SAM-2 protocol, implemented to support existing
deployments, not the in-progress FAST-OTP work.

Add "cheat" capability for kinit when running on a KDC host.

Protocol evolution

Add support for IAKERB -- a mechanism for tunneling
Kerberos KDC transactions over GSS-API, enabling clients
to authenticate to services even when the clients cannot
directly reach the KDC that serves the services.

Add support for Camellia encryption (disabled by
default).

Add GSS-API support for implementors of the SASL GS2 bridge
mechanism.

Known Bugs

Please note that the HTML versions of these documents are
converted from texinfo, and that the conversion is imperfect.
If you want PostScript or GNU info versions, please download
the documentation tarball.